$ dnssec-keygen -a HMAC-SHA1 -b 160 -n HOST <keyname>
The key will be stored as a private and public keyfile pair
K<keyname>+161+<keyid>.private and K<keyname>+161+<keyid>.key
where
<keyname> is the DNS name of the key.
<keyid> is the (generated) numerical identifier used to
distinguish this key.

Other algorithms may be substituted for HMAC-SHA1 in the above example.

It is recommended that the keyname be globally unique and incorporate the fully qualified domain names of the resolver and nameserver in that order. It should be possible for more than one key to be in use simultaneously between any such pair of hosts.

Although the formats differ, the private and public keys are identical and both should be stored and handled as secret data.